# Shared, non-secret environment for every jitsi component.
# Anything sensitive (the XMPP component passwords) is kept in
# 20-secrets.yaml, which is NOT committed to git; it is produced by
# scripts/generate-secrets.sh.
# NOTE(review): ConfigMap data is readable by any subject with read access
# to ConfigMaps in this namespace, so no credential belongs in this file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: jitsi-config
  namespace: jitsi
data:
  # === Public-facing config ===
  PUBLIC_URL: "https://meet.it.financeflow.de"
  TZ: "Europe/Berlin"

  # === XMPP topology ===
  # Internal hostnames. Do not change any of them without updating all 4
  # components in lockstep.
  XMPP_DOMAIN: "meet.jitsi"
  XMPP_AUTH_DOMAIN: "auth.meet.jitsi"
  XMPP_INTERNAL_MUC_DOMAIN: "internal-muc.meet.jitsi"
  XMPP_MUC_DOMAIN: "muc.meet.jitsi"
  XMPP_GUEST_DOMAIN: "guest.meet.jitsi"
  XMPP_RECORDER_DOMAIN: "recorder.meet.jitsi"
  XMPP_SERVER: "prosody.jitsi.svc.cluster.local"
  # NOTE(review): BOSH is addressed over plain HTTP, so this hop is only as
  # private as the cluster network. Presumably only the web pod needs to
  # reach prosody:5280 — confirm a NetworkPolicy restricts it to that.
  XMPP_BOSH_URL_BASE: "http://prosody.jitsi.svc.cluster.local:5280"

  # === JWT-based auth ===
  # Prosody validates HS256 tokens signed by Embertime. Only invited
  # participants get a valid token (context.user populated, optional
  # moderator flag). The shared HMAC secret is JWT_APP_SECRET in the
  # Kubernetes Secret. Guests are disabled: a missing or invalid token
  # means no entry.
  # NOTE(review): HS256 is symmetric, so whoever can read JWT_APP_SECRET
  # can mint tokens, moderator flag included. Keep that secret long and
  # random and readable only by Prosody and Embertime, and confirm that
  # Embertime issues short-lived tokens (exp claim).
  ENABLE_AUTH: "1"
  AUTH_TYPE: "jwt"
  ENABLE_GUESTS: "0"
  JWT_APP_ID: "embertime"
  # Issuer and audience are both pinned to the single expected signer.
  JWT_ACCEPTED_ISSUERS: "embertime"
  JWT_ACCEPTED_AUDIENCES: "embertime"
  TOKEN_AUTH_URL: ""

  # === TLS ===
  # Handled by the ingress with cert-manager, not by the jitsi/web
  # container.
  # NOTE(review): with these settings the web container is expected to
  # serve plain HTTP and issue no redirect itself, so the HTTP-to-HTTPS
  # redirect has to be enforced at the ingress and the web Service should
  # be reachable only through it — confirm.
  ENABLE_LETSENCRYPT: "0"
  ENABLE_HTTP_REDIRECT: "0"
  DISABLE_HTTPS: "1"

  # === Videobridge brewery ===
  # The MUC where jicofo finds JVBs over XMPP.
  JVB_BREWERY_MUC: "jvbbrewery"

  # === STUN/TURN ===
  # Our own coturn (deployed from 80-coturn.yaml). JVB itself uses STUN to
  # discover its public-side mapping; clients additionally learn the TURN
  # endpoints from Prosody via mod_external_services and fall back to
  # relay when direct UDP does not reach JVB:10001 (typical for
  # mobile-carrier NATs).
  # NOTE(review): only endpoints are listed here. The TURN credential must
  # stay in the Secret, and 80-coturn.yaml should be checked so that the
  # relay requires authentication and refuses peers in private/cluster
  # address ranges.
  JVB_STUN_SERVERS: "meet.it.financeflow.de:3478"
  TURN_HOST: "meet.it.financeflow.de"
  TURNS_HOST: "meet.it.financeflow.de"
  TURN_PORT: "3478"
  TURNS_PORT: "5349"
  TURN_TRANSPORT: "udp,tcp"

  # === UX / lockdown ===
  # Pre-join page on: joiners can set up audio/video before they enter the
  # room.
  ENABLE_PREJOIN_PAGE: "1"
  # Welcome page off: opening https://meet.it.financeflow.de/ bare shows a
  # minimal shell instead of a "create new room" form. Together with
  # AUTH=jwt, the only way in is a signed deep-link handed out by
  # Embertime.
  # NOTE(review): hiding the form is UX hardening only; the access control
  # is the JWT check above.
  ENABLE_WELCOME_PAGE: "0"
  ENABLE_CLOSE_PAGE: "0"
  # Transcription and recording are both switched off.
  ENABLE_TRANSCRIPTIONS: "0"
  ENABLE_RECORDING: "0"

  # === Bandwidth defaults (keep things sane on mobile) ===
  # Outgoing video is capped at 480p so slow connections can still stream.
  # Users on fat pipes can raise it manually from the toolbar.
  RESOLUTION: "480"
  RESOLUTION_MIN: "180"
  # In rooms with more than 5 people, new joiners start with video muted.
  # This saves bandwidth in larger team meetings; enabling video is one
  # click.
  START_VIDEO_MUTED: "5"